For the complete documentation index, see llms.txt. Prefer markdown by appending .md to documentation URLs or sending Accept: text/markdown.

Session & origins

Share the web app cookie with the extension, register chrome-extension:// in trustedOrigins, and avoid a second auth stack.

TurboStarter does not implement a full sign-in UI in the extension. Users authenticate on the web app; the extension reuses that session.

That shrinks phishing surface and keeps one place for password, OAuth, and 2FA policies.

Trusted origins

Add your extension id to Better Auth trustedOrigins on the server:

packages/auth/src/server.ts
export const auth = betterAuth({
  trustedOrigins: [
    "chrome-extension://your-extension-id",
    // Firefox / Edge ids as needed
  ],
});

Find the id under chrome://extensions (Developer mode). Production builds get a stable id from the store - update trustedOrigins when it changes from your local unpacked id.

Why this matters

Trusted origins block CSRF-style abuse and open redirects. Only extension ids you control should be listed.

  1. User signs in on the web app (HTTPS in production)
  2. Better Auth sets the session cookie on your app domain
  3. The extension reads that cookie with the cookies permission and your app host_permissions
  4. API calls from the extension attach the session the same way the web client would

Details and config live in Auth session.

What not to do

  • Do not store the session token in chrome.storage as a long-lived substitute for httpOnly cookies when cookie sharing already works
  • Do not build a parallel password form in the popup “for convenience”
  • Do not log cookie values to analytics or Sentry
  • Do not grant host_permissions for unrelated sites “just in case”

Sign-out

Sign-out from the extension should clear the shared session so web and extension stay in sync. Verify both surfaces after you change auth plugins or cookie names.

How is this guide?

Last updated on

On this page

Ship your startup everywhere. In minutes.Try TurboStarter